Georgia Passes Anti-Infosec Legislation

Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail.

EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon as it lands on his desk.

For months, advocates such as Electronic Frontiers Georgia have descended on the state Capitol to oppose S.B. 315, which would create a new crime of “unauthorized access” to computer systems. While lawmakers did make a major concession by exempting terms of service violations under the measure—an exception we’ve been asking Congress for years to carve out of the federal Computer Fraud & Abuse Act (CFAA)—the bill still falls short of ensuring that researchers aren’t targeted by overzealous prosecutors. This has too often been the case under CFAA.

“Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law,” EF Georgia’s Scott Jones told us in February.

Andy Green, a lecturer in information security and assurance at Kennesaw State University, concurred.

“I’m putting research on hold with college undergrad students because it may open them up to criminal penalties,” Green told the Parallax. “It’s definitely giving me pause right now.”

Up until this week, Georgia has positioned itself as a hub for cybersecurity research, with well-regarded university departments developing future experts and the state investing $35 million to expand the state’s cybersecurity training complex. That is one reason it’s so unfortunate that lawmakers would pass a bill that would deliberately chill workers in the field. Cybersecurity firms—and other tech companies—considering relocations to Georgia will likely think twice about moving to a state that is so hostile and short-sighted when it comes to security research.

S.B. 315 is a dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems. It’s time for Governor Deal to step in and listen to the cybersecurity experts who keep our data safe, rather than lawmakers looking to score political points.
